How to prevent new installations when I have already installed my client through LAN boot?

Carsten Aulbert carsten at
Thu Feb 9 15:20:08 CET 2012


On 2012-02-09 16:11, Thomas Neumann wrote:
> -To skip booting from network card, you can use the command 
> fai-chboot(8)
> to enable localboot.
> +It is possible to remotely execute 'fai-chboot ...' on the fai 
> server to
> switch the installed client to localboot after the installation has
> completed. Warning: This may open up the fai installation environment 
> to
> exploits if the remote login account is not properly secured.
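
Review bot: The warning's "not properly secured" gives the reader nothing to act on, and the rewritten sentence drops the fai-chboot(8) pointer that the removed line carried while leaving the command as 'fai-chboot ...'. Keep the man page reference next to the command, and name the concrete exposure in the warning: an account that can run fai-chboot remotely on the fai server decides whether a client boots locally or from the network, so the text should recommend limiting that login to this one command.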

Sorry to chime in here, but if you require this to be added, where 
would you stop?

If a sysadmin is not aware that a remote login needs to be secured 
he/she is to blame for that.

Then the handbook needs to state also, that you need to use a very good 
root password with certain rules, when being at it, you should also make 
sure that no packages are installed which have not been reviewed by an 
independent certified third party, and finally, you need to ensure - 
before using FAI(!) - to have a fully secure network (possibly base 
encrypted - who checks the firmware for hidden backdoors?), round the 
clock guards on site and of course no-one is ever allowed to touch the 
machine to protect against memory being frozen to reveal secrets.

Sure, this last paragraph is way over the top, but I think the FAI 
handbook should possibly mention the various possibilities, but it's up 
to the actual user to decide which may or may not be suited for the 
local site.
